Final HIPAA Enforcement Rule Published

On Feb. 16, 2006, the Department of Health and Human Services (HHS) paved the way for collecting penalties from covered entities that don’t comply with HIPAA by publishing the final rule on civil enforcement (the “Enforcement Rule”). The Enforcement Rule takes effect March 16, 2006, and replaces the interim rules that were issued in 2003.

Generally, the Enforcement Rule outlines rules for the imposition of civil monetary penalties (CMPs) on covered entities that violate HIPAA. Criminal actions remain in the domain of the Department of Justice and are not affected by the Enforcement Rule. The Enforcement Rule addresses the investigation process, bases of liability including liability for the actions of agents, determination of the penalty amounts, grounds for waiver, responsibilities of covered entities, the process for challenging a CMP determination, hearings, and appeals. The Enforcement Rule also specifies that investigations may be initiated by HHS in response to complaints or as part of a compliance review.

The final Enforcement Rule applies to all of the HIPAA administrative simplification provisions, rather than only privacy standards. Most of the provisions outlined in the proposed rule published on April 18, 2005, were left untouched in the final Enforcement Rule.

Of note, the Enforcement Rule makes it mandatory for HHS to impose a CMP if HHS determines that a HIPAA violation has occurred. The amount of the CMP will be determined in accordance with factors outlined in the Enforcement Rule. Although an act or omission that violates a specific and a general provision likely would be deemed a single violation, the preamble indicates that if a single act violates different standards, then “it is appropriate that such violations be treated separately.” An increased number of violations, of course, is likely to increase the total amount of CMPs.

The Enforcement Rule maintains HHS’s regulatory commitment to promoting and encouraging voluntary compliance with HIPAA; however, it seems likely that we will see some changes in the imposition of penalties for HIPAA violations.

The adoption of the final Enforcement Rule marks an attempt by HHS to clarify and establish a uniform enforcement and compliance policy for HIPAA. Covered entities that receive a notice of a complaint or investigation regarding a violation of any HIPAA rule—even if they have dealt with HHS investigations in the past—should consult legal counsel to discuss the implications of the Enforcement Rule.